Uber, the ride-sharing company, disclosed Tuesday that its Amazon Web Services (AWS) account was hacked last January, compromising the personal information of 57,000,000 users worldwide, including 600,000 U.S. drivers.
Uber CEO Dara Khosrowshahi, who was appointed in August, said in a statement that he learned about the hack “recently” even though it occurred in “late 2016”, when the company was under the supervision of Travis Kalanick. Kalanick resigned from his position as Uber’s CEO in June.
Khosrowshahi stated that the hack involved two individuals outside of the company who had improperly accessed user data stored on third-party cloud-based services that the company uses.
A Bloomberg report provided more details about the attack. The hackers gained access to Uber’s private GitHub repository and stole the company’s AWS credentials from it. They then logged in to Uber’s AWS account, downloaded files, and obtained personally identifiable data for millions of app users, including names, phone numbers, and driver’s license numbers.
However, users’ credit card numbers and social security numbers were not compromised.
Khosrowshahi stated that “at the time of the incident we took immediate measures to secure the data, and shut down any further unauthorized access by individuals. We identified the individuals and received assurances that the data had been deleted. We also took security measures to limit access to our cloud-based storage accounts and to strengthen controls.”
Bloomberg reports that Uber paid $100,000 to the hackers to keep quiet about the breach. Uber also admitted that it deliberately withheld information about the hack from regulators and affected drivers, even though it was required by law to disclose it.
Uber now claims it had a legal duty to report the hack both to regulators and to drivers whose license numbers were stolen. Bloomberg reported that Uber paid the hackers to delete the data and kept the breach quiet. Joe Sullivan, Uber’s head of cybersecurity at the time, was also fired from the company in response to the hack.
Khosrowshahi said in his statement that Uber is working to improve its security procedures. Uber is providing affected drivers with identity protection and credit cards at no cost. It is also monitoring the accounts that have been compromised.